docs(runners): remove stale bates-*/rocky8/rocky9 references #165

Merged
Jesssullivan merged 4 commits into main from fix/runner-docs-cleanup
Apr 3, 2026

@Jesssullivan
Collaborator

Replace stale runner names with current topology across 7 docs files.

Replace GitLab Managed Terraform State with on-cluster RustFS
S3-compatible backend for all 4 stacks. This removes the last
hard dependency on GitLab for GloriousFlywheel.

- backend.tf: `backend "http"` → `backend "s3"` pointing at
  attic-rustfs-hl.nix-cache.svc:9000 with tofu-state bucket
- deploy-arc-runners.yml: replace GitLab state URLs with
  RustFS S3 credentials, switch plan/apply to tinyland-docker
  runners (in-cluster, can reach RustFS via internal DNS)
- State successfully migrated for arc-runners (11 resources)
  and attic (30 resources); runner-dashboard and gitlab-runners
  had empty state

Resolves: Jesssullivan/tinyland-reorg#5, Jesssullivan/tinyland-reorg#6

The tinyland-docker ARC runner image does not include kubectl,
which the Civo CLI needs for kubeconfig merge during `civo
kubernetes config --save`. Add explicit install step before
kubeconfig generation in both plan and apply jobs.

The opentofu/setup-opentofu@v1 wrapper script requires node in
PATH, which tinyland-docker runners don't have. Disable the
wrapper to use the raw tofu binary directly.

Replace with current runner labels:
- rocky8 → tinyland-docker
- rocky9 → tinyland-nix
- bates-docker/bates-nix → tinyland-docker/tinyland-nix
- petting-zoo-mini → xoxd-bates (macOS ARM64)
@greptile-apps

greptile-apps bot commented Apr 3, 2026

Greptile Summary

This PR replaces stale bates-*, rocky8, and rocky9 runner references with the current tinyland-docker / tinyland-nix topology across 7 docs files, and simultaneously migrates all four OpenTofu stack backends from GitLab's HTTP-based managed state to a RustFS S3-compatible in-cluster store. The deploy workflow is also updated to run on tinyland-docker self-hosted runners and switch backend credentials accordingly.

The backend migration and most documentation renames are correct and consistent. However, a few renames were incomplete or introduced new inaccuracies:

  • docs/runners/self-service-enrollment.md — The component descriptions for tinyland-docker-job and tinyland-nix-job still read "Rocky 8 runner job" and "Rocky 9 runner job"; the names were changed but the descriptions were not.
  • docs/runners/load-testing.md — The example CI jobs for test-tinyland-docker and test-tinyland-nix still execute RHEL-specific commands (cat /etc/redhat-release, dnf list installed) that would fail on Docker and Nix runner environments.
  • docs/runners/migration-guide.md — The renamed TF_VAR_tinyland-docker_runner_token and TF_VAR_tinyland-nix_runner_token environment variable names contain hyphens, which are not valid in POSIX shell variable names and will cause syntax errors if used as written.
  • .github/workflows/deploy-arc-runners.yml — The new Install kubectl step fetches a dynamically resolved version from stable.txt with no checksum verification; pinning a version and verifying the SHA256 would improve reproducibility and supply-chain safety.

Confidence Score: 3/5

Safe to merge after fixing the three stale/incorrect doc snippets and the invalid shell variable names in the migration guide.

The backend migration and workflow runner switch are structurally sound. The four issues found are all in documentation or the workflow install step — none will break the Terraform backends or runner infrastructure directly. However, two of the doc issues (RHEL-only test scripts, invalid env var names) would cause real failures if followed literally by a developer, and the stale descriptions undermine the stated goal of removing stale references.

docs/runners/self-service-enrollment.md, docs/runners/load-testing.md, and docs/runners/migration-guide.md each have incomplete or incorrect renames that need a follow-up fix.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/deploy-arc-runners.yml | Migrates both plan/apply jobs from ubuntu-latest to tinyland-docker, switches backend from GitLab HTTP to RustFS S3, adds kubectl install step — kubectl binary is fetched with a dynamic version and no checksum verification |
| docs/runners/self-service-enrollment.md | Renames job template keys from rocky8/rocky9 to tinyland-docker/tinyland-nix but leaves their descriptions as "Rocky 8 runner job" / "Rocky 9 runner job" — stale content introduced by this PR |
| docs/runners/load-testing.md | Renames test jobs from test-rocky8/test-rocky9 to test-tinyland-docker/test-tinyland-nix but the scripts still run RHEL-only commands (cat /etc/redhat-release, dnf) that would fail on Docker/Nix runners |
| docs/runners/migration-guide.md | Updates runner name references and CI template table; introduces TF_VAR names with hyphens (TF_VAR_tinyland-docker_runner_token) which are invalid in POSIX shell |
| tofu/stacks/arc-runners/backend.tf | Migrates from GitLab HTTP backend to RustFS S3-compatible backend; endpoint is in-cluster HTTP (expected for self-hosted cluster use) |
| tofu/stacks/attic/backend.tf | Same GitLab-to-RustFS S3 backend migration as other stacks; also cleans up verbose local-dev comments |
| tofu/stacks/gitlab-runners/backend.tf | Backend migrated from GitLab HTTP to RustFS S3; consistent with the other stack backend changes |
| tofu/stacks/runner-dashboard/backend.tf | Backend migrated from GitLab HTTP to RustFS S3; consistent with the other stack backend changes |
| docs/runners/hpa-tuning.md | Simple runner name replacement (rocky8/rocky9 → tinyland-docker/tinyland-nix); clean change |
| docs/runners/project-onboarding.md | Updates runner name references in job mapping tables and step verification instructions; straightforward rename |
| docs/runners/resource-limits.md | Runner names updated in limits table and workload profiles; no substantive changes to values |
| docs/runners/security-model.md | Single line update replacing rocky8/rocky9 with tinyland-docker/tinyland-nix in the unprivileged runner list |

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Runner as tinyland-docker (self-hosted)
    participant RustFS as RustFS S3 (attic-rustfs-hl.nix-cache.svc:9000)
    participant Civo as Civo Cloud

    GH->>Runner: Trigger plan/apply job
    Runner->>Runner: setup-opentofu (wrapper: false)
    Runner->>Runner: Install kubectl (dynamic stable version)
    Runner->>Runner: Install Civo CLI
    Runner->>RustFS: tofu init (access_key + secret_key)
    RustFS-->>Runner: State fetched (tofu-state/arc-runners/terraform.tfstate)
    Runner->>Civo: tofu plan / tofu apply
    Civo-->>Runner: Infrastructure response
    Runner->>RustFS: State written back
    Runner-->>GH: Job result + plan artifact

Reviews (1): Last reviewed commit: "docs(runners): remove stale bates-*/rock..."

Comment on lines +39 to +40
| `tinyland-docker-job` | Rocky 8 runner job |
| `tinyland-nix-job` | Rocky 9 runner job |

P1 Stale descriptions not updated

The component descriptions still reference the old runner names. tinyland-docker-job is labeled "Rocky 8 runner job" and tinyland-nix-job is labeled "Rocky 9 runner job" — these weren't updated alongside the component name changes, leaving misleading documentation.

Suggested change
| `tinyland-docker-job` | Rocky 8 runner job |
| `tinyland-nix-job` | Rocky 9 runner job |
| `tinyland-docker-job` | tinyland-docker runner job |
| `tinyland-nix-job` | tinyland-nix runner job |

Comment on lines +103 to 113
test-tinyland-docker:
tags: [tinyland-docker]
script:
- cat /etc/redhat-release
- dnf list installed | head -20

test-rocky9:
tags: [rocky9]
test-tinyland-nix:
tags: [tinyland-nix]
script:
- cat /etc/redhat-release
- dnf list installed | head -20

P1 RHEL-specific scripts on non-RHEL runners

Both test-tinyland-docker and test-tinyland-nix still run cat /etc/redhat-release and dnf list installed, which are RHEL/Rocky Linux-specific commands. Given that tinyland-docker is a generic Docker runner and tinyland-nix is a Nix runner, these commands would fail (file not found / dnf not available) on the actual runner environments after the rename. If this is intentional documentation of what these runners replaced (i.e., they still run RHEL images), a clarifying comment would help. Otherwise the scripts should be updated to reflect the actual runner environments.

Comment on lines +15 to +16
TF_VAR_tinyland-docker_runner_token=glrt-...
TF_VAR_tinyland-nix_runner_token=glrt-...

P1 Hyphens in TF_VAR_* env var names are invalid in POSIX shells

The new names TF_VAR_tinyland-docker_runner_token and TF_VAR_tinyland-nix_runner_token contain hyphens. POSIX shell variable names may only contain letters, digits, and underscores — a hyphen is not a valid character. Anyone attempting to export these directly in a shell script would get a syntax error.

If the underlying Terraform variable names actually use hyphens, they need to be set via a .tfvars file rather than environment variables. If the intended Terraform variable names use underscores (the standard convention), the documentation should be updated to replace the hyphens with underscores: TF_VAR_tinyland_docker_runner_token and TF_VAR_tinyland_nix_runner_token.
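A small check for the defect described in the comment above, as an added example that is not part of the PR or the repository: it scans `NAME=value` lines (such as a docs snippet or an env file) and flags names a POSIX shell will not accept as an assignment. The function name `lint_env_names` and the sample lines in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR: lint NAME=value lines for names that are not
# valid POSIX shell variable names ([A-Za-z_][A-Za-z0-9_]*).
# Expects bare NAME=value lines; lines without '=' are skipped.

# lint_env_names: reads lines on stdin, prints one "invalid:" line per bad
# name with an underscore-only candidate, returns 1 if any name was invalid.
lint_env_names() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      *=*) name=${line%%=*} ;;   # text before the first '='
      *)   continue ;;
    esac
    case "$name" in
      ""|[0-9]*|*[!A-Za-z0-9_]*)
        # Candidate only: every character outside the allowed set becomes '_'.
        fixed=$(printf '%s' "$name" | tr -c 'A-Za-z0-9_' '_')
        echo "invalid: $name -> $fixed"
        bad=1 ;;
    esac
  done
  return "$bad"
}

# Usage on constructed sample input taken from the lines quoted above:
#   printf '%s\n' 'TF_VAR_tinyland-docker_runner_token=glrt-...' | lint_env_names
```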

Comment on lines 51 to +54
tofu_version: ${{ env.TOFU_VERSION }}
tofu_wrapper: false

- name: Install kubectl
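Review bot: `tofu_wrapper: false` is set with no inline comment saying why. The PR description gives the reason (the setup-opentofu wrapper script requires node in PATH, which tinyland-docker runners don't have); a one-line YAML comment above the setting stating that would keep it from being re-enabled later by someone who has not read the commit message.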

P2 kubectl installed with dynamic version and no checksum verification

The Install kubectl step fetches the version dynamically from stable.txt at runtime and does not verify the binary's checksum. This means:

  1. The kubectl version is non-deterministic between runs (could silently change)
  2. The binary is not verified against a known-good SHA256, which is a supply-chain risk

Consider pinning a specific version and verifying the checksum. This same pattern is duplicated in the apply job (~line 142) and both should be updated together.
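One way to implement the pin-and-verify step suggested in the comment above, as an added example that is not code from this PR or repository. `KUBECTL_VERSION` and `KUBECTL_SHA256` are placeholders (the page pins neither), the `linux/amd64` path is an assumption about the runner, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the PR. Version and digest are placeholders:
# the page pins neither, so fill both from a release you have vetted.
KUBECTL_VERSION="vX.Y.Z"
KUBECTL_SHA256="<64-hex-digest-committed-with-the-workflow>"

# sha256_of FILE: print the file's SHA-256 as lowercase hex.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_verified SRC EXPECTED DEST
# Installs SRC at DEST (mode 0755) only if its digest equals EXPECTED.
# Returns 2 for a malformed EXPECTED, 1 for a mismatch; DEST is untouched.
install_verified() {
  src=$1; expected=$2; dest=$3
  case "$expected" in
    ""|*[!0-9a-fA-F]*) echo "expected digest is not hex" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 chars" >&2; return 2; }
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$src")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $src: got ${actual:-nothing}" >&2
    return 1
  fi
  install -m 0755 "$src" "$dest"
}

# fetch_kubectl OUT: download the pinned release. Needs network access, so it
# is defined here but not called.
fetch_kubectl() {
  curl -fsSL -o "$1" \
    "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
}

# Workflow step body would be:
#   fetch_kubectl /tmp/kubectl &&
#     install_verified /tmp/kubectl "$KUBECTL_SHA256" /usr/local/bin/kubectl
```

The expected digest belongs in the repository next to the pinned version; a digest fetched at run time from the same origin as the binary only detects corruption in transit. The unfilled placeholder is rejected as malformed, so the step fails closed until a real digest is committed.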

@Jesssullivan Jesssullivan merged commit dedff63 into main Apr 3, 2026
29 checks passed
@Jesssullivan Jesssullivan deleted the fix/runner-docs-cleanup branch April 3, 2026 19:35